Security Response
Showing posts for June of 2006
Peter Ferrie | 30 Jun 2006 07:00:00 GMT | 0 comments

Things have been pretty interesting here lately. The first virus for Sun Microsystems’ StarOffice appeared, although it wasn't a real virus because it didn't actually work. We also received reports of the first parasitic virus for the .chm (compiled HTML help file) file format, and reports of the first virus that is an IDA plug-in. I say "reports" because we have been told these two viruses exist but we have not received any samples to prove it.

The StarOffice virus just goes to show that virus writers don't test their code. Despite four attempts (represented by the samples that we received; who knows how many others we didn't receive) the virus author still couldn’t seem to work out why his code wasn’t infecting anything. However, hot on the heels of these initial samples was the...

Symantec Security Response | 30 Jun 2006 07:00:00 GMT | 0 comments

We are seeing signs of worm activity over instant messaging (IM) and wanted to warn you not to let your curiosity get the better of you. You’ve heard the saying about curiosity killing the cat, right?

In a nutshell, IM users are receiving messages that say "check out these pics of us!", with a link provided in the IM window to either "p1392.pic-myspace .info" or "p1377. pic-myspace .info". When unsuspecting victims click on the link, thinking that they are going to the MySpace Web site, they are instead transported to another Web site at which point a malicious downloader gets installed on the victim's machine. From what we can tell, this particular downloader tries to install a bunch of applications, presumably with the intent to earn the site's owner some commission. While this is probably more of an annoyance than anything else, if you ask me, the good news is that Symantec customers have been protected from this type of attack since December 2005.

At the end of the day, if...

Elia Florio | 29 Jun 2006 07:00:00 GMT | 0 comments

The never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter. Recently our lab discovered a new rootkit sample in the wild that is very unique given the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used (such as RootkitRevealer, BlackLight and IceSword). We consider it to be an advanced example of "stealth by design" malicious code. [1]

So, why is Rustock.A so special? Many rootkit detectors use a cross-view based detection algorithm. This means that they detect hidden objects by finding the discrepancies between a high-level view and a low-level view. For example, a simple rootkit detector can enumerate the list of...

Ollie Whitehouse | 28 Jun 2006 07:00:00 GMT | 0 comments

These days, I spend a lot of my time looking at mobile devices and wireless technologies from a security perspective. I am particularly interested in the convergence of technology, and something that recently made me sit up and say “Here we go again!” is Wireless USB.

A development group has written a specification document for Wireless USB. The collaborative group (made up of representatives from Agere, Hewlett-Packard, Intel, Microsoft, NEC, Philips, and Samsung) is confident in the development of Wireless USB because they believe that it is a logical evolution of the ubiquitous technology of wired USB. The specification document states that Wireless USB can utilize the existing USB infrastructure and the USB model of smart host and simple device, but I am more interested in the security...

Yazan Gable | 27 Jun 2006 07:00:00 GMT | 0 comments

It has been said that the biggest security problem for computers and networks is the user. Every black hat worth their salt knows that the best way to get information from a target computer or network is to manipulate its user or users. The user sets the password, knows what’s on the computer, and often knows how to connect to it from outside of the organization. A little social engineering by an attacker and then blammo!—the user and their organization are compromised.

Simple social engineering can go a long way, but the existence of certain vulnerabilities can make the lives of these social-engineering black hats a whole lot easier. Enter the Microsoft HLINK.DLL Link Memory Corruption Vulnerability, which is a critical flaw in the Microsoft Office Excel application. Using this vulnerability, an attacker could take control of a computer by simply downloading the publicly available exploit and...

Ollie Whitehouse | 23 Jun 2006 07:00:00 GMT | 0 comments

When I look back on it now, Microsoft Office is a veritable Petri dish of threat evolution. From attackers learning how to use intended functionality for malicious purposes, through to exploiting vulnerabilities in the applications themselves, an increased understanding and familiarity with the technology can be seen.

Let me explain. Once upon a time there were macro viruses in Microsoft Office documents that caused havoc. These viruses were easy to mitigate because Microsoft simply updated Office to prompt the user for further action when opening a document with unsigned macros. Alternatively, if Office was configured correctly by the user, only signed macros in trusted locations could be executed.

Fast forward four years or so, and we see that Microsoft Office is being used as a semi-trusted vehicle to exploit buffer overflows in the entire Office suite. Most businesses rely on the transfer of Word, Excel, PowerPoint, Access, Project, or Visio files to exchange information....

Marc Fossi | 21 Jun 2006 07:00:00 GMT | 0 comments

Almost everyone is aware of the nuisance caused by spam email. When we get to work in the morning we have to delete a bunch of useless messages from our Inbox before we can start the day. When we get home we have to do the same thing before getting around to reading messages from friends and family. Do you ever wonder how these spammers came by our email addresses in the first place?

There are several ways for spammers to gather email addresses to send their messages to. One of the oldest techniques involves sending a “bot” to crawl around on different Web sites, Usenet groups, and other similar Internet resources searching for email addresses. While this method works, it is time-consuming and prone to gathering addresses that are outdated and no longer in use. Another popular method involves generating email addresses using a technique called brute forcing. This method tries sending spam to addresses composed of every possible combination of letters and numbers (for...

Ollie Whitehouse | 16 Jun 2006 07:00:00 GMT | 0 comments

Phreaking ("analog style") emerged in the 1960s and was around for over 30 years until it started to die out in the mid-1990s. In my opinion the term is best described by Wikipedia: "Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or exploit telephones, the telephone company, and systems connected to or composing the Public Switched Telephone Network (PSTN) for the purposes of hobby or utility. The term ‘phreak’ is a portmanteau of the words ‘phone’ and ‘freak’.”

We've started to see a number of documented cases that point to a resurgence in phreaking, but this time it's not analog networks that are being exploited; instead, it’s 21st century VoIP networks. I remember when I first started playing with VoIP in 2002, entrenched in the lab with an Asterisk PBX and one...

Liam O Murchu | 14 Jun 2006 07:00:00 GMT | 0 comments

I would never associate the phrase "good ethics" with rogue anti-spyware. Maybe "questionable ethics" or, indeed, "no ethics" are phrases that would be more appropriate! We encounter questionable ethics every day in the lab, especially when dealing with rogue applications. I will provide some information below on one of the best examples of rogue anti-spyware we have seen in the lab, called "Punisher".

Symantec detects this rogue application as Punisher, but it is also known as Remedy AntiSpy, SystemStable, HitVirus, and Adware Bazooka in the industry. Rogue applications often employ a technique of using various guises, where the application will be advertised and distributed using seemingly different software applications that all turn out to be exactly the same (except, perhaps, a different skin).

We made observations on...

Symantec Security Response | 11 Jun 2006 07:00:00 GMT | 0 comments

Webmail providers, such as Yahoo! Mail and Hotmail, are possible vectors of infection from mass-mailing email worms. As is the risk with Microsoft Outlook and other common email programs, if you download and execute programs from an email client you run the risk of executing malicious code. If there is a vulnerability in your email client, malicious code can even execute automatically. Webmail programs are similar to other email clients that are installed locally and are equally affected by vulnerabilities. For example, a variety of Outlook issues have been discovered in the past where attachments were automatically executed simply because a user previewed an item of email. Webmail programs are not immune from this type of vulnerability.

A new Yahoo! Mail worm, JS.Yamanner@m, is making the rounds by utilizing a vulnerability affecting webmail. Yahoo! Mail...